The new science of meta analytics (MA) has been formalised to enable broad oversight of data and processes, with key objectives of supporting governance thereof, proving compliance, achieving alignment and leveraging efficiencies.

As governance and compliance become increasingly top-of-mind issues for data stewards and their enterprises alike, the challenge of mapping governance, risk management and compliance (GRC) rules to the data and processes has come to the fore.

Where companies once tended to focus on the content (the data itself) rather than its containers (the metadata), management of metadata is now becoming a key focus.

Metadata, covering factors such as data and process context, design and specifications, and execution information, might accurately be described as the 'information about data'. Metadata management has become a science in itself.

However, in South Africa, systems analysts, database administrators or systems administrators still tend to interrogate metadata at a fairly basic and technical level for operational purposes.

Mapping for GRC

Linking metadata to GRC rules, which are abstracted or prescribed from the organisation's PPSGs (policies, principles, procedures, standards, regulations and guidelines), has become increasingly important, since it allows for the mapping of metadata directly to organisational capabilities, services, processes, data objects, workflows, service/business units and individuals.

In doing so, it provides a clear view of the business and operational architectural landscapes and data life-cycles. Furthermore, the mappings link in confirmatory communiques and audit trails, as evidence of compliance, action or conformance to the rules (PPSGs).

Typically, the processes and data within computer application systems are designed, built and mapped based on functional and information requirements. This is often done without considering vertical lineage to business processes, workflows or services, mapping to PPSG (GRC) rules, inclusion of risk management factors, or linking to architectural models and capabilities.

These are usually managed separately by a different competency team and set of tools; eg, business process management or data modelling tools. The operational processes that result from this situation are often disjointed, manual and non-aligned to the PPSGs.

There is evidence of mappings being done for audit purposes, but on a small-scale, ad hoc basis. The practice is not sustained and usually does not link directly to the business and operational roles of individuals on the ground tasked with operating in alignment with particular PPSGs.

When called on to produce evidence of compliance or conformance to the PPSGs, business units, departments and IT must often rush to map processes and surface execution evidence of the rules on data to prove compliance with POPI, FICA, other legislation or internal standards.

This process is time-consuming and challenging, and even though the department can produce mapping and recon reports, it can seldom show exactly which actions were taken where, to align with which GRC rules and the risk of not applying these.

The evolution of MA

GRC mapper tools tend to have limited capabilities: simply linking an accord, condition or service. Moving beyond these rudimentary capabilities is becoming increasingly important as businesses depend more heavily on the quality of their data and processing economy, and GRC compliance/conformance becomes crucial.

The mapping process can be a lengthy one, but fortunately, it's a once-off exercise with updates thereafter as the landscapes change/improve. The process identifies the PPSGs in scope and the steps thereof. The steps constitute RCCSs (rules, conditions, checks, controls, constraints, technical standards) or actions, as they should be applied in the lineage of the services and/or system processes and roles involved.

The RCCSs are plotted against a data management life-cycle (DMLC) for the data being processed and linked to organisational capabilities. This gives cross-sectional views of the RCCSs against PPSGs, services, processes, DMLCs and architectural components; eg, data models.

The advantages of MA

The MA methodology gives enterprises insight into gaps or dispositions within the landscape, into data life-cycles, how and where GRC (PPSG) rules are articulated, where processes are duplicated/overlapped, who is involved in which processes, and when rules are executed (actions). It also enables risk analysis. All of this supports efficiencies (eg, where services or processes could be merged) and helps prove compliance.

MA shows the affinities of roles and activities, and indicates which processes are automated or manual. It also allows enterprises to attach risk weights to PPSGs, services or individual processes, and attach processes to competency teams or architectural capabilities.

When linked to actual metadata (like system execution logs, e-mail communiques or signed documents) MA delivers evidence that all necessary steps (rules) are being executed.

From a data governance point of view, data stewards and analysts will use MA to determine at any point in time who is using what data and in which processes; or they could gain insights such as the last execution date of a process or the date of the last confirmation e-mail.

This allows for the surfacing of many gaps in compliance and support for the identification of risks associated with not applying rules in line with the guidelines. It also allows for the identification of dispositions and mavericks, and supports investigations.

With MA, ad hoc mapping on demand becomes a thing of the past: if a chief data officer wanted to see a synopsis of all automated and manual processes or gauge compliance risk, they could use these mappings to view the environment in a single step.

MA enables data stewards or business unit managers to interrogate exactly what happens to their customer data during its life-cycle. MA supports back-end efficiency and enhanced customer experience, averts compliance risk and, of course, enables proactive oversight of the entire environment. As a welcome by-product, MA also surfaces gaps and dispositions, or misalignments between the operations and business environments, which is good for efficiency and complementary to change and project management.

MA brings a new approach to giving oversight for compliance and for surfacing gaps and inefficiencies, not just at a technical level, but also at a business level. It helps enhance both data and processes, and delivers better data for better business.

Mervyn Mooi is a director of Knowledge Integration Dynamics (KID), and also a key resource within the company's information management, data warehousing and business intelligence teams.
He has been in the IT industry for 36 years, beginning his career as an operator at the CICS bureau in Johannesburg in the early 1980s. Thereafter, he was appointed as a programmer at state-owned oil exploration and production company SOEKOR. In 1986, Mooi joined Anglo American's head office IT department where he remained for almost 12 years. Here he progressed to become a senior programmer, analyst, database administrator and technical support specialist.
After completing his degree in informatics, he then left to join Software Futures, where he worked as a senior consultant for 18 months in the data warehousing and business intelligence arena.
Mooi joined KID in 1999 as a data warehouse and business intelligence specialist. Mooi's experience in ICT disciplines includes operations, business and systems analysis, application development, database administration, data governance/management, data architecture/modelling, production application and systems software support, data warehousing and business intelligence. He now focuses on enterprise information management, information governance and cloud solutions.